MISSING: Settings -> Privacy & Security -> Logins and passwords -> Ask to save logins and passwords for websites

[RedSteel-1]

First of all, thanks for this great browser.

I wanted to properly configure it and use it as my main browser, however, there is something wrong. I was very surprised when I saw that the entire "Logins and passwords" section is not present in Settings -> Privacy & Security, which makes it impossible to configure the browser to save logins and passwords. As a bonus, I didn't find a way to activate saving/autofilling of forms either.

Request: I would like to ask to add the "Logins and passwords" section back, and make it possible to activate saving of passwords (and forms autofilling). In the meanwhile, would like to ask to provide a method for activating these features manually (about:config params, etc.).

I am not able to switch to Mullvad as my main browser as long as these every-day-browsing features are deactivated and unavailable.

[benn125]

A big +1!

Dear devs, please, make these settings available. It would be really great to be able to configure the behavior of the browser according to the needs. Mullvad is currently my secondary/additional browser, it will instantly become primary/only browser on my PC once saving of passwords and logins becomes available/configurable.

PS: Not only I feel the inconvenience (even though I can deal with it somehow), During the process of de-Googling my parents and improving their online privacy and secuity, they said they are staying on Chrome (the pain for my eyes) and denied to use Mullvad because of this issue, they think it's broken (ofcourse it's not, but try to explain it to those who don't understand almost anything about browsers and other programs and computer stuff generally).

[RedSteel-1]

Sadly, the request to provide a method for activating these features manually as a temporary solution has not been heard so far. So I decided to do some research and try to find a temporary manual solution by myself.

The about:config parameters responsible for activating the features in question are: signon.rememberSignons -> true signon.autofillForms -> true

In Mullvad it's impossible to change the values because they are locked, likely somewhere in the browser's code.

So, I had to create the following file: Browser\defaults\pref\autoconfig.js With the following contents:

pref("general.config.filename", "mullvad.cfg");
pref("general.config.obscure_value", 0);

And then create the following file: Browser\mullvad.cfg With the following contents:

unlockPref("signon.rememberSignons");
unlockPref("signon.autofillForms");

After doing this and restarting the browser, signon.rememberSignons and signon.autofillForms in about:config became unlocked.

I changed them to "true", and checked if all these manipulations worked.

Shortly: unfortunately No. When typing username and password on some login page, the prompt to save username-password does pop up indeed. However, in fact they never get saved. And when I log out and go to the same login page again, username-password are not auto-filled, and once they are entered again and the login button on the page is pressed, the popup for saving username-password shows up again. (Moreover, the "Settings -> Privacy & Security -> Logins and passwords" section on the settings page is still missing, so even if the saving worked, it would be impossible to delete the saved username-password entries).

I don't know why it is like that. It's a sad situation.

[Thorin-Oakenpants]

However, in fact they never get saved

Because the password manager is forced to memory only by a pref

---

edit

prefs

Please stop recommending pref changes

• signon.autofillForms only controls whether to autofill, and you shouldn't do this for security reasons (xss, spoofing). Username & password is still available when you enter the field. Mozilla are also considering making this pref false

tl;dr: don't mess with prefs, wait for MB to address the threat model and make changes that relax some disk requirements. These things take time

[RedSteel-1]

Please stop recommending pref changes

Where did I recommend this?

signon.autofillForms only controls whether to autofill, and you shouldn't do this for security reasons tl;dr: don't mess with prefs

• Sounds good for the use case when the browser is used for maximal security, for one-time use / one-time website surfing and changing identities.
• Sounds bad for the use case when the browser is intended to be used as the default and the main every-daily browser with the password/login saving and autofill settings relaxed, allowed and enabled.

wait for MB to address the threat model and make changes

Ok, hope this will get the devs' attention, as this issue is probably the main game stopper for the browser's second use case mentioned above.

The things should be configurable and open for the user, so that the user can configure and tweak the browser to operate the way the user needs.

[ruihildt]

@A-7666 Thanks for you detailed feedback an use-case. And sorry I couldn't answer earlier, coming back today from a month AFK.

As @Thorin-Oakenpants is saying, we'll soon be reviewing the Mullvad Browser threat model based on the feedback we have received since the initial release. Our priority is to make it usable by most people as their default browser.

[RedSteel-1]

@ruihildt , Thanks, this is super-cool to hear, looking forward! :-) Mullvad Browser is hands down an awesome and a very promising browser, impatient to set it as default for myself and my family and friends.

[Anderhar]

Mozilla's password manager (ex. Lockwise) is in fact the only FOSS solution that requires neither off-browser software nor trust to any cloud provider. In this respect, it is pure gold that is unwise to throw away. Please bring it back.

[Anderhar]

And by the way, instead of complete removal, it would be better to force the user to set the master password before using the built-in password manager. This simple measure eliminates the main complaints about its security, and this is a really healthy practice without any extremism, because many users don't even know how important the master password is from a technical point of view.

[RedSteel-1]

Has there been any progress so far?

[Thorin-Oakenpants]

https://gitlab.torproject.org/tpo/applications/team/-/wikis/Goteburg-2023-Meeting-Notes/mullvad-passwords

[FlailAway]

I'd like to toss in my 2c-worth here too. having the password manager available for trivial passwords would be a great help. I feel safe in assuming that people who understand using Mullvad browser/VPN are smart enough to decide their threat level.

Storing trivial passwords in the browser is handy and that's why I mostly use librewolf (LW) and rarely use Mullvad. I trust Mullvad way more and would use it exclusively, but the constant calls to an external password manager finally beats me down and back to LW.

[gentoosys]

Can't migrate to mullvad browser because of missing password manager. Anything on this?